Method and system for providing access-specific key

ABSTRACT

An access specific key is provided for securing of a data transfer between a mobile terminal and a node of an access net. For authentication of the mobile terminal, a authentication server generates a session key, from which a basic key is derived and transferred to an interworking-proxy-server. The interworking-proxy-server derives the access specific key from the transferred basis key and provides the key to the node of the access net.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is based on and hereby claims priority to GermanApplication No. 10 2006 038 037.1 filed on Aug. 14, 2006, the contentsof which are hereby incorporated by reference.

BACKGROUND

The invention relates to a method and a system for providing anaccess-specific key for securing a data transfer between a mobileterminal and a node of an access network.

With the TCP/IP protocol, the Internet offers a platform for thedevelopment of higher-level protocols for the mobile sector. Since theInternet protocols are widely used, a large group of users can be tappedinto by upgrading the protocols appropriately for mobile environments.The known Internet protocols were not, however, originally designed formobile use. In known Internet packet switching, the packets areexchanged between stationary computers which neither change theirnetwork address nor roam between various subnetworks. In radio networksconnecting mobile terminals and computers, mobile computers MS (mobilestations) are frequently integrated into various networks. With the aidof an appropriate server, DHCP (Dynamic Host Configuration Protocol)makes it possible for an IP address and further configuration parametersto be assigned dynamically to a computer in a network. A computer whichis integrated into a network is automatically assigned a free IP addressby the DHCP protocol. If a mobile computer has DHCP installed, it hasonly to come within range of a local network which supports theconfiguration via the DHCP protocol. With the DHCP protocol, dynamicaddress allocation is possible, i.e. a free IP address is automaticallyallocated for a defined period. After this period has expired, eitherthe request has to be resubmitted by the mobile computer MS or the IPaddress can be allocated elsewhere.

With DHCP, a mobile computer MS can be integrated into a network withoutbeing configured manually. The only requirement is that a DHCP server beavailable. In this way, a mobile computer MS can use services of thelocal network and, for example, use files stored centrally. However, ifa mobile computer MS offers services itself, a potential service user isunable to locate the mobile computer MS since its IP address changes ineach network into which the mobile computer is integrated. The samehappens if an IP address changes during an existing TCP connection. Thisleads to the connection being interrupted. With Mobile IP, a mobilecomputer MS is therefore assigned an IP address which it also retains ina different network. When switching IP network conventionally, it isnecessary to adapt the IP address settings appropriately. Constantadaptation of the IP and known automatic configuration mechanismsinterrupts the existing connection when the IP address is switched. TheMIP protocol (RFC2002, RFC2977, RFC3344, RFC3846, RFC3957, RFC3775,RFC3776, RFC4285) supports the mobility of mobile terminals MS. With theknown IP protocols, the mobile terminal MS has to adapt its IP addresseach time it switches IP subnetwork in order for the data packetsaddressed to the mobile terminal MS to be routed correctly. In order tomaintain an existing TCP connection, the mobile terminal MS has toretain its IP address, as a switch of address will lead to aninterruption of the connection. The MIP protocol enables a transparentconnection between the two addresses, namely a permanent home addressand a second temporary care/of address. The care/of address is theparticular IP address at which the mobile terminal MS can currently bereached.

A home agent HA is a proxy of the mobile terminal MS, for as long as themobile terminal MS is not located in the original home network. The homeagent is continuously informed about the current whereabouts of themobile computer MS. The home agent HA is normally a component of arouter in the mobile terminal's home network. When the mobile terminalMS is located outside the home network, the home agent HA provides afunction in order that the mobile terminal MS can log on. The home agentHA then forwards the data packets addressed to the mobile terminal MS tothe current subnetwork of the mobile terminal MS.

A foreign agent FA is located in the subnetwork in which the mobileterminal MS is moving. The foreign agent FA forwards incoming datapackets to the mobile terminal MS or to the mobile computer MS. Theforeign agent FA is located in a so-called visited network. The foreignagent FA is also normally a component of a router. The foreign agent FAroutes all administrative mobile data packets between the mobileterminal MS and its home agent HA. The foreign agent FA unpacks thetunneled IP data packets sent by the home agent HA and forwards the datatherein to the mobile terminal MS.

The home address of the mobile terminal MS is an address at which themobile terminal MS can be reached permanently. The home address has thesame address prefix as the home agent HA. The care/of address is theparticular IP address which the mobile terminal MS uses in the visitednetwork.

The home agent HA maintains a so-called mobility binding table (MBT).The entries in this table serve in assigning the two addresses, i.e. thehome address and the care/of address, of a mobile terminal MS to oneanother and in rerouting the data packets correspondingly.

The MBT table contains entries concerning the home address, the care/ofaddress and a specification of the time span during which thisassignment is valid (lifetime). FIG. 1 shows an example of a mobilitybinding table MBT according to the related art.

The foreign agent FA contains a visitor list (VL) which containsinformation about the mobile terminals NS which are currently located inthe IP network of the foreign agent FA. FIG. 2 shows an example of thistype of visitor list according to the related art.

In order for a mobile computer NS to be integrated into a network, itmust firstly ascertain whether it is located in its home network or avisited network. In addition, the mobile terminal MS has to ascertainwhich computer in the subnetwork is the home agent and the foreignagent. This information is determined through so-called agent discovery.

The subsequent registration enables the mobile terminal MS tocommunicate its current location to its home agent HA. To do this, themobile computer or the mobile terminal MS sends the current care/ofaddress to the home agent. To register, the mobile computer MS sends aregistration request to the home agent. The home agent HA enters thecare/of address into its list and responds with a registration reply.There is, however, a security problem here. Since in principle anycomputer can send a registration request to a home agent HA, it couldeasily be simulated to a home agent HA that a computer had moved into adifferent network. In this way, a foreign computer could acquire all thedata packets of a mobile computer or mobile terminal MS without a senderfinding out. In order to prevent this, the mobile computer MS and thehome agent HA have shared secret keys. If a mobile computer MS returnsto its home network, it deregisters with the home agent HA as the mobilecomputer MS can now receive all data packets itself. A mobile radionetwork must have the following security characteristics inter alia.Information must be made accessible only to desired communicationpartners, i.e. undesired eavesdroppers must not be given access totransferred data. The mobile radio network must therefore have thecharacteristic of confidentiality. Besides this, authenticity must be agiven. Authenticity allows a communication partner to establish beyonddoubt whether a communication has actually been set up to a desiredcommunication partner or whether a foreign party is posing as thecommunication partner. Authentications can be carried out for eachmessage or for each connection. Where authentication is carried out on aconnection basis, the communication partner is identified once only atthe start of a session. It is then assumed for the remaining course ofthe session that the messages which follow continue to originate fromthe corresponding sender. Even where the identity of a communicationpartner is established, i.e. the communication partner is authenticated,the case can arise where this communication partner may not access allresources or may not use all services via the network. In this case, acorresponding authorization requires prior authentication of thecommunication partner.

In mobile data networks, messages have to cover longer pathways via airinterfaces and are consequently more easily accessible to potentialhackers. In mobile and wireless data networks, security aspectstherefore play a special role. Encryption techniques represent-a key wayfor increasing security in data networks. Through encryption, it ispossible to transfer data over insecure communication pathways, forexample over air interfaces, without unauthorized third parties gainingaccess to the data. For encryption, the data, i.e. the so-calledplaintext, has to be transformed with the aid of an encryption algorithminto ciphertext. The encrypted text can be transported over the insecuredata transmission channel and then decrypted or deciphered.

WiMax (Worldwide Interoperability for Microwave Access), a highlypromising wireless access technology, is being proposed as a newstandard which uses IEEE 802.16 for radio transmission. Using WiMax,transmitting stations are intended to supply a range of up to 50 km atdata rates of over 100 Mbit per second.

FIG. 3 shows a reference model for a WiMax radio network. A mobileterminal MS is located within the range of an access network (ASN:access serving network). The access network ASN is connected via atleast one visited network (visited connectivity service network VCSN) orintermediate network to a home network HCSN (home connectivity servicenetwork). The various networks are connected to one another viainterfaces or reference points R. The home agent HA of the mobilestation MS is located in the home network (HCSN) or in one of thevisited networks (VCSN).

WiMax supports two implementation variants of Mobile Internet Protocol(MIP), namely a so-called client MIP (CMIP), in which the mobile stationMS itself implements the MIP client function, and proxy MIP (PMIP), inwhich the MIP client function is implemented by the WiMax access networkASN. The functionality provided for this purpose in the ASN is called aproxy mobile node (PMN) or PMIP client. Therefore, MIP can also be usedwith mobile stations MS which do not themselves support MIP.

FIG. 4 shows the setting up of a connection by proxy MIP (PMIP), whenthe home agent HA is located in the visited network VCSN, according tothe related art.

After a radio connection has been set up between the mobile terminal MSand a base station BS, an access authentication is carried out firstly.The function of authentication, authorization and accounting is carriedout by so-called AAA servers (AAA: authentication, authorization andaccounting). Authentication messages are exchanged between the mobileterminal MS and the AAA server of the home network (HAAA), by whichmessages the address of the home agent HA and an authentication key areobtained. The authentication server in the home network contains theprofile data of the subscriber. The AAA server receives anauthentication request message which contains a subscriber identity ofthe mobile terminal. Following successful access authentication, the AAAserver generates an MSK key (MSK: master session key) to protect thedata transfer pathway between the mobile terminal MS and the basestation BS of the access network ASN. This MSK key is transmitted fromthe AAA server of the home network via the intermediate network CSN tothe access network ASN.

After access authentication, the DHCP proxy server in the access networkASN is configured, as can be seen from FIG. 4. If the IP address andhost configuration is already contained in the AAA reply message, allthe information is downloaded into the DHCP proxy server.

After successful authentication and authorization, the mobile station orthe mobile terminal MS sends a DHCP discovery message and assignment ofan IP address takes place.

If a mobile terminal MS is integrated into a network, the mobileterminal MS will possibly have to ascertain whether it is located in ahome network or a visited network. Furthermore, the mobile terminal MSmust ascertain which computer is in the respective network of the homeagent or the foreign agent. This information is determined throughso-called agent discovery. There are two types of agent discovery,namely agent advertisement and agent solicitation.

In agent advertisement, the agents, i.e. the home or foreign agents,periodically send broadcast messages to all the computers and mobileterminals of the subnetwork. Any computer which eavesdrops on thebroadcast messages within a defined period can thus identify the agentsin the respective subnetwork.

When a mobile terminal MS is reactivated, it is not generally practicalto wait for the next agent advertisement. The mobile terminal MS has toknow immediately in what subnetwork it is currently located. Usingso-called agent solicitation, the mobile terminal MS therefore sends arequest to all the computers of the respective subnetwork to carry outan agent advertisement. By agent solicitation, the mobile terminal MScan force the agents to reveal themselves immediately, so the waitingtime is reduced considerably. Agent solicitation is also carried outwhere an agent advertisement fails, for example in the event of packetloss or switching network. With the aid of agent discovery, a mobileterminal MS can also establish whether it is located in its home networkor in a visited network. Based on the packet information within an agentadvertisement message, the mobile terminal MS identifies its home agentHA. If the mobile terminal MS receives message packets from a visitednetwork, then it can additionally establish whether its position haschanged since the last advertisement. If the mobile terminal MS does notreceive an advertisement message, the mobile terminal MS initiallyassumes that it is located in the home network and the home agent HA isfaulty. The mobile terminal MS then tries to establish contact with therouter of the network in order to confirm this assumption. If the mobileterminal MS is not located in its home network, it subsequently tries toaccess a DHCP server and to obtain an address of the subnetwork. If thisis successful, the mobile terminal MS uses this address as a so-calledcolocated care/of address and establishes contact with the home agentHA. The colocated care/of address is an address which is assigned to themobile terminal MS in the visited network and is also communicated tothe home agent HA.

A distinction is made between network-based mobility management (PMIP)and terminal-based mobility management (CMIP). In terminal-basedmobility management (CMIP), the terminal supports Mobile IP (MIP). FIG.4 shows the setting up of a connection using known network-basedmobility management (PMIP), while FIG. 5 represents the setting up of aconnection using known terminal-based mobility management (CMIP).

When a connection is set up between the mobile terminal MS and thenetwork, the authentication server of the home network (H-AAA), aftersuccessfully authenticating the subscriber, sends an authenticationconfirmation message (SUCCESS). The authentication confirmation messagenotifies the authentication client that authentication of the subscriberhas been completed successfully.

In the case of proxy MIP or network-based mobility management (PMIP),the mobile terminal does not support Mobile IP or the corresponding MIPsoftware is not activated in the mobile terminal MS.

In the case of client MIP (CMIP) or terminal-based mobility managementon the other hand, Mobile IP is supported by the respective terminal ormobile station MS.

In proxy MIP, the mobile terminal MS recognizes only an IP addressassigned by the DHCP server. The care/of address of the mobile terminalMS is known not to the mobile terminal but to the PMP client, theforeign agent FA and the home agent HA. In client MIP, on the otherhand, the mobile terminal MS recognizes both its IP addresses, i.e. boththe home address and the care/of address.

As can be seen from FIGS. 4 and 5, MIP registration takes place after IPaddress assignment. In MIP registration, the home agent HA is informedabout the current location of the mobile terminal MS. To register, themobile terminal MS or the corresponding PMIP client sends a registrationrequest containing the current care/of address to a home agent HA. Thehome agent HA enters the care/of address in a list administered by itand responds with a registration reply. Since in principle any computercan send a registration request to a home agent HA, it could easily besimulated to a home agent HA that a computer or mobile terminal MS hadmoved into a different network. In order to prevent this, both themobile terminal MS and the home agent HA have a shared secret key,namely a Mobile IP key (MIP-KEY).

In proxy MIP, the registration request (MIPRRQ) is transferred from aPMIP client within the access network ASN via a foreign agent FA to thehome agent HA. The home agent HA has a key for the subscriber assignedto it by the relevant authentication server H-AAA and transfers this keywith the MIP registration reply, as shown in FIG. 4.

In terminal-based mobility management (CMIP), the registration requestmessage (MIPRRQ) is routed directly from the mobile terminal MS via theforeign agent FA to the home agent HA, as shown in FIG. 5.

In WiMax access networks, Proxy Mobile IP (PMIP) is used besides MobileIP (CMIP), in order to make mobility management possible for clientswhich do not themselves have any Mobile IP client functionality. InPMIP, a Proxy Mobile IP client, which carries out the MIP signaling onbehalf of the client, is provided in the access network. These mobilityprotocols are used in WiMax for a handover between two access networksASN or between two network access providers NAP. Here, the relevantWiMax home agent may be located optionally in a WiMax home network HCSNor in a visited WiMax network (VCSN). It is assumed in WiMax that a homeAAA server is located in the home network HCSN, which knows thelong-term cryptographic keys shared with the user as well as furtherusage parameters.

During registration, the WiMax home agent requests security parameters,for example temporary cryptographic keys, from the WiMax home AAAserver. These are needed so that only one authorized client can registerwith the home agent and in order to protect the MIP signaling. As partof the authentication and key agreement protocol which the mobileterminal executes with the authentication server, the mobile terminalcan also derive these security parameters itself. In a WiMax accessnetwork, an AMSK or Mobile IP root key (MIP-RK) is derived from the EMSKkey (extended master session key) and provided. From this Mobile IP rootkey further keys are then derived for protecting the differentcommunication pathways between the mobile node or the foreign agent FAand the home agent HA. Here, the different mobile IP variants such asmobile IP V6 and mobile IP V4 are derived through separate keysrespectively for Client Mobile IP and Proxy Mobile IP.

In known WiMax access networks, interworking or collaboration withnetworks of different types is not supported.

FIG. 6 shows the interworking between a WiMax access network and a 3rdGeneration Partnership Project (3GPP) home network according to therelated art. As can be seen from FIG. 6, in the WiMax access network anauthentication proxy server (AAA-Relay) is provided which has aninterworking unit (IWU) as an interface to the 3GPP home network. Wheninterworking with the 3GPP network, the authentication proxy servertakes over the key generation and key derivation which are necessary aspart of the logging on of the subscriber onto the network, in order toactivate Proxy Mobile IP for the subscriber or the mobile terminal. Inthe case of Proxy Mobile IP, a Proxy Mobile IP client is located in theASN gateway or authentication proxy server of the WiMax home networkWiMax-CSN. This WiMax home network WiMax-CSN is connected to the 3GPPnetwork, as can be seen in FIG. 6. With Proxy Mobile IP, it is thereforepossible for the interworking unit IWU to generate a mobile IP key(MIP-Key) when logging on to a network in order to safeguard the pathwaybetween the Proxy Mobile IP client and the home agent. Here, the ProxyMobile IP client may be located in the ASN gateway and consequentlyforms part of the access network infrastructure. It is not thereforenecessary in the case of Proxy Mobile IP to modify the 3GPPauthentication server, and the 3GPP authentication server does not haveto comply with the specifications of the WiMax access network.

In Client Proxy Mobile IP, however, interworking between the WiMaxaccess network and the 3GPP home network is not supported. No suitableprotocols currently exist for forwarding security parameters to theclient or the mobile terminal. The reason for this is that, in the knownprocedure, the mobile terminal derives these security parameters fromthe authentication and key agreement protocol.

SUMMARY

Therefore, it is desirable to establish a method and a system forproviding an access-specific key for safeguarding a data transferbetween a mobile terminal and a node of an access network, which alsoenable Client IP (CMIP) if the authentication server of the home networkdoes not support mobility management.

Described below is a method for providing an access-network-specific keyfor safeguarding a data transfer between a mobile terminal and a node ofan access network, wherein, during authentication of the mobileterminal, an authentication server generates a session key from which abase key is derived and transferred to an interworking proxy serverwhich from the transferred base key derives the access-network-specifickey and provides it to the node of the access network.

In an embodiment, the session key is formed by an MSK (master sessionkey) or by an EMSK (extended master session key).

In the method, a local master session key (MSK or EMSK), which forsecurity reasons must not leave the authentication server (AAA) of thehome network, is used in order to derive therefrom a pseudo or base keywhich is then transferred to an interworking proxy server, theinterworking proxy server deriving from the received base key thenecessary access-specific key according to the predetermined keyhierarchy and providing it for the respective nodes of the accessnetwork.

In an embodiment the authentication server is located in a home networkof the mobile terminal.

In an embodiment method, the base key is derived from the session key bya predetermined first derivation function.

This first derivation function may be a hashed message authenticationcode (HMAC) secure hash algorithm or message digest 5 algorithm formedby an HMAC-SHA1, HMAC-SHA256, HMAC-MD5, SHA1, SHA-256 or an MD5derivation function.

In an embodiment method, derivation of the base key is effected as afunction of the session key and a character string.

In an embodiment method, authentication of the mobile terminal by theauthentication server is effected by an extensible authenticationprotocol (EAP).

In a further embodiment method, authentication of the mobile terminal bythe authentication server is effected by a Universal MobileTelecommunications System-Authentication and Key Agreement (UMTS-AKA)protocol.

In an alternative embodiment method, authentication of the mobileterminal by the authentication server is effected by a HypertextTransfer Protocol-Digest-Authentication and Key Agreement(HTTP-Digest-AKA protocol).

In a further embodiment method, the transfer of data between theauthentication server and the interworking proxy server is effected by aDiameter or a Radius protocol.

In an embodiment method, the access network is formed by a WiMaxnetwork.

In an embodiment method, the home network is formed by a 3GPP network.

In an embodiment method, a Mobile IP root key is derived by theinterworking proxy server from the transferred base key by a secondderivation function.

Here, the second derivation function may be formed by an HMAC-SHA1,HMAC-SHA256, HMAC-MD5, SHA1, SHA-256 or an MD5 derivation function.

In an embodiment method, the access-specific key for securing a datatransfer between the mobile terminal and the node of the access networkis derived from the derived Mobile IP root key by a third derivationfunction.

This third derivation function may be an HMAC-SHA1, HMAC-SHA256,HMAC-MD5, SHA1, SHA-256 or an MD5 derivation function.

In an embodiment method an appropriate access-specific key is derivedfor each of the various data transfer paths between the node of theaccess network and the mobile terminal.

In an embodiment method, the mobile terminal also generates the sessionkey during authentication and derives therefrom the access-specific key.

Also described below is an authentication server for providing a basekey, from which an access-specific key for securing a data transferpathway between a mobile terminal and the node of an access network canbe derived, the authentication server generating during authenticationof the mobile terminal a session key and deriving therefrom by aderivation function the base key and providing it to an interworkingproxy server.

Also described below is an interworking proxy server for providing anaccess-specific key for securing a data transfer between a mobileterminal and a node of an access network, the interworking proxy serverderiving the access-network-specific key from a base key transferred byan authentication server and providing it to the node of the accessnetwork.

Also described below is a data transfer system using a plurality ofaccess networks and at least one home network of the mobile terminal, anauthentication server of the home network generating duringauthentication of a mobile terminal a session key and deriving therefroma shared base key which is transferred to the access networks which eachhave an interworking proxy server which derives at least oneaccess-specific key from the transmitted base key which is providedrespectively for securing a data transfer pathway between the mobileterminal and a node of the respective access network.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects and advantages of the method and of the systemfor providing an access-network-specific key for securing a datatransfer between a mobile terminal and a node of an access network willbecome more apparent and more readily appreciated from the followingdescription of the exemplary embodiments, taken in conjunction with theaccompanying drawings of which:

FIG. 1 is a mobility binding table according to the related art;

FIG. 2 is a visitor list according to the related art;

FIG. 3 is a block diagram of a reference model for a WiMax radionetwork;

FIG. 4 is a signal diagram of a connection setup using Proxy Mobile IP(PMIP) according to the related art;

FIG. 5 is a signal diagram of a connection setup using Client Mobile IP(CMIP) according to the related art;

FIG. 6 is a block diagram representing the interworking between a WiMaxaccess network and a 3GPP network according to the related art;

FIG. 7 is a block diagram with a possible embodiment of the system forproviding an access-network-specific key;

FIG. 8 is a signal diagram representing a possible embodiment of themethod for providing an access-network-specific key;

FIG. 9 is a further signal diagram representing a possible embodiment ofthe method for providing an access-network-specific key.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Reference will now be made in detail to the preferred embodiments,examples of which are illustrated in the accompanying drawings, whereinlike reference numerals refer to like elements throughout.

FIG. 7 shows a network architecture in which the method for providing anaccess-network-specific key can be used. A mobile terminal 1 (MS=mobilestation) is connected via an interface R1 to an access network 2(ASN=access service network). The access network 2 is connected via aninterface R3 to a visited network 3 (VCSN=visited connectivity servicenetwork). This visited network 3 is in turn connected via an interfaceR5 to a home network 4 (HCSN=home connectivity service network).

If the mobile terminal 1 moves from a first access network 2 to a secondaccess network 2′, a handover takes place between the first and thesecond access network. This handover is referred to in the WiMaxspecification as “macro mobility management” or else as “R3 mobility” or“inter ASN mobility”. The visited network 3 and the home network 4 arerespectively connected to a network of an access service provider (ASP)or to the Internet.

Each access network 2 contains a plurality of base stations 6 which arein turn connected via an interface R6 to an ASN gateway node 5. The ASNgateway node 5 shown in FIG. 6 illustrates an authenticator 5A, a MIPforeign agent 5B and optionally a PMIP client 5C as well as, optionally,an interworking proxy unit 7 with a programmed processor. An AAA server3A is located in each visited network 3, as shown in FIG. 6. In the homenetwork 4, there are also located an authentication server 4A with aprogrammed processor and a home agent 4B. In a possible alternativeembodiment, the interworking unit 7 is located in the home network 4.

At the mobile terminal 1 end, two cases have to be differentiated. Themobile terminal 1 itself supports Mobile IP and has its own CMIP clientor the mobile terminal 1 does not support Mobile IP and needs a PMIPclient 5C in the gateway node 5 of the access network 2.

FIG. 8 shows a signal diagram illustrating a possible embodiment of themethod, the interworking unit 7 being located in a first embodiment inthe access network 2 or in an alternative embodiment in the home network4. In the method, an access-network-specific key for securing a datatransfer between the mobile terminal 1 and any node of the accessnetwork 2 is provided, the authentication server 4A which is located inthe home network 4 of the mobile terminal 4 generating duringauthentication of the mobile terminal 1 a session key and deriving fromthis session key a base key which is transferred to the interworkingproxy server 7, as described in FIG. 7. The interworking proxy server 7derives from the received base key by a derivation function thenecessary access-specific key and provides it for the respective node ofthe access network 2. The session key from which the transferred basekey is derived is in one embodiment an MSK (master session key) or anEMSK (extended master session key). As described in FIG. 8, theauthentication server 4A derives from the extended master session keyEMSK a pseudo EMSK or a shared base key by an HMAC-SHA1 derivationfunction. In an alternative embodiment, this derivation function isformed by an HMAC-SHA256, an HMAC-MD5, an SHA1, an SHA256 or an MD5derivation function. The derived base key or pseudo key is transferredin an EAP success message together with the master session key MSK tothe interworking unit 7, which is embodied for example as aninterworking proxy server.

In a possible embodiment of the method, derivation of the base key or ofthe pseudo key PEMSK is effected as a function of the session key MSKand/or EMSK and, additionally, as a function of a character string, i.e.according to one of the variants:

PEMSK=H(MSK, EMSK, “String”),

PEMSK=H(MSK, “String”),

PEMSK=H(EMSK, “String”).

In the embodiment shown in FIG. 8, authentication of the mobile terminal1 is effected by an EAP data transfer protocol. In an alternativeembodiment, authentication of the mobile terminal is effected by anauthentication server 4A by a UMTS-AKA protocol or by an HTTP-Digest-AKAprotocol. Data transfer between the authentication server 4A and theinterworking proxy server 7 may use a Diameter or Radius protocol.

The derived base key or pseudo key represents an intermediate stage inthe key hierarchy. This base key can, as a shared base key, also betransmitted to various interworking proxy servers 7 which are providedin various access networks 2. The access networks 2 are for exampleWiMax networks. The home network 4 in which the authentication server 4a is located is, for example, a 3GPP network.

As soon as the interworking proxy server 7, as can be seen in FIG. 8,has received the transferred base key PEMSK, it forms by a secondderivation function a Mobile IP root key IMP-RK. The second derivationfunction can also be an HMAC-SHA1, HMAC-256, an HMAC-MD5, an SHA1, anSHA256 or an MD5 derivation function. In further embodiments, differentderivation functions or cryptographic key derivation functions KDF canalso be used. From the Mobile IP root key MIP-RK thus derived, furtheraccess-network-specific keys for securing a data transfer between themobile terminal 1 and a node of the access network 2 can be derived inaccordance with the key hierarchy. This third derivation function canalso be, for example, an HMAC-SHA1, HMAC-256, an HMAC-MD5, an SHA1, anSHA-256 or an MD5 derivation function

The Mobile IP root key MIP-RK is used in order to generate therefromapplication keys or access-network-specific keys, for example:

MN-HA-MIP4=H(MIP-RK, “String”|HA-IP)

MN-HA-CMIP6=H(MIP-RK, “String”|HA-IP)

MN-FA=H(MIP-RK, “String”|FA-IP) AND

FA-H=H(MIP-RK, “String”|FA-IP|HA-IP|NONCE).

The character “|” stands for the concatenation of the substrings.

Here, the key derivation can also be modified such that for PMIPV4 andCMIPV4 separate keys are derived, for example:

MN-HA-CMIP4=H(MIP-RK, “CMIP4MNHA”|HA-IP)

MN-HA-PMIP4=H(MIP-RK, “PMIP4MNHA”|HA-IP).

For each of the various data transfer pathways between nodes of theaccess network 2 and the mobile terminal 1, an appropriateaccess-network-specific key can be derived in this manner from theMobile IP root key which in turn is derived from the transmitted basekey.

In the method, the previous key derivation as part of an EAP-basednetwork logon of a subscriber is upgraded such that the interworkingproxy server 7 provides the access network with CMIP-suitable keys whichcan, if necessary, also be used for PMIP. In the method, the base key orthe pseudo key is derived by the authentication server from the MSKand/or the EMSK and/or further input, for example a character string, bya suitable key derivation function KDF.

FIG. 9 shows a signal diagram to illustrate the principle underlying themethod. During authentication of a mobile terminal 1 by anauthentication and key-agreement protocol, for example EAP based onRadius or Diameter, a security server or an authentication server 4Agenerates in a first network a base key or a pseudo key PTKS or apseudo-temporary cryptographic key based on the temporary cryptographickey TKS, for example a master session key MSK or EMSK. The pseudo keyderived with a derivation function is then transferred to aninterworking proxy server 7 which is located for example in a secondnetwork, an access-network-specific key being derived in turn for eachapplication server or node 8, 9 from a further derivation function. Eachapplication server 8, 9 then receives the access-specific key derivedfor it from the interworking proxy server 7. The data transfer pathwaybetween the terminal 1 and the respective application server 8, 9 isthen cryptographically protected by the transferred key.

With the method, it is possible to use authentication servers, forexample WLAN or 3GPP servers for WiMax access networks, theauthentication servers not having to provide the CMIP/PMIP functionalityexpected by the WiMax access network, but having merely to be upgradedwith the functionality for deriving a base key from the session key. Themethod also offers the advantage that in the case of a WiMax accessnetwork CMIP is also supported and consequently any restriction withregard to macro-mobility is avoided. With the method, the WiMax networkdoes not have to be modified or subjected to any further changes, apartfrom providing an interworking proxy server 7 in the WiMax network. Themobile terminal 1, the authentication server and the interworking proxyserver 7 know which base key or pseudo key they are using. This makes itpossible for different MIP keys (bootstrapping variants) to be supportedwithin the WiMax network. In the method, key material which originatesfor example from a 3GPP network is transformed into key material for theWiMax network, the WiMax networks being able to use the key formedwithout any adaptation being made.

In an embodiment of the method, the authentication functionality isestablished outside the WiMax network, for example in the 3GPP network.The method enables future WiMax-3GPP interworking without restrictionsin the WiMax network having to be conceded. A further advantage of themethod is that it can easily be upgraded for interworking betweenvarious networks and for providing keys for any applications. In themethod, only the interworking proxy server 7 has to know whichapplication-specific keys have to be provided and how these are to bederived. With the method, it is not therefore necessary for the homeauthentication server to be able to generate the keys needed for each ofthe different networks connected. Accordingly, it is relatively simplewith the method to connect different networks flexibly to the homenetwork.

In the method, the mobile terminal 1 also generates the session keyduring authentication and derives in a corresponding manner theaccess-network-specific key.

The system also includes permanent or removable storage, such asmagnetic and optical discs, RAM, ROM, etc. on which the process and datastructures of the present invention can be stored and distributed. Theprocesses can also be distributed via, for example, downloading over anetwork such as the Internet. The system can output the results to adisplay device, printer, readily accessible memory or another computeron a network.

A description has been provided with particular reference to preferredembodiments thereof and examples, but it will be understood thatvariations and modifications can be effected within the spirit and scopeof the claims which may include the phrase “at least one of A, B and C”as an alternative expression that means one or more of A, B and C may beused, contrary to the holding in Superguide v. DIRECTV, 358 F3d 870, 69USPQ2d 1865 (Fed. Cir. 2004).

The invention claimed is:
 1. A method for providing anaccess-network-specific key for securing a data transfer between amobile terminal and a node of an access network, comprising: generating,during authentication of the mobile terminal by an authenticationserver, a session key from which a base key is derived; transferring thebase key from the authentication server to an interworking proxy server;deriving the access-network-specific key from the base key by theinterworking proxy server; and providing the access-network-specific keyfrom the interworking proxy server to the node of the access network. 2.The method as claimed in claim 1, wherein the session key is formed by amaster session key or an extended master session key.
 3. The method asclaimed in claim 1, wherein the authentication server is located in ahome network of the mobile terminal.
 4. The method as claimed in claim1, wherein the base key is derived by a first derivation function. 5.The method as claimed in claim 4, wherein the first derivation functionis a hashed message authentication code (HMAC) secure hash algorithm ormessage digest 5 algorithm formed by one of an HMAC-SHA1, HMAC-SHA256,HMAC-MD5, SHA1, SHA-256 and MD5 derivation function.
 6. The method asclaimed in claim 1, wherein the base key is derived using a function ofthe session key and a character string.
 7. The method as claimed inclaim 1, wherein the access network is formed by a WiMax network.
 8. Themethod as claimed in claim 1, wherein the home network is formed by a3rd Generation Partnership Project network.
 9. The method as claimed inclaim 1, wherein said deriving by the interworking proxy server includesobtaining a Mobile Internet Protocol root key from the base key using asecond derivation function.
 10. The method as claimed in claim 9,wherein the second derivation function is a hashed messageauthentication code (HMAC) secure hash algorithm or message digest 5algorithm formed by one of an HMAC-SHA1, HMAC-SHA256, HMAC-MD5, SHA1,SHA-256 or MD5 derivation function.
 11. The method as claimed in claim10, wherein said deriving of the access-network-specific key forsecuring data transfer between the mobile terminal and the node of theaccess network includes operating on the Mobile Internet Protocol rootkey using a third derivation function.
 12. The method as claimed inclaim 11, wherein the third derivation function is a hashed messageauthentication code (HMAC) secure hash algorithm or message digest 5algorithm formed by one of an HMAC-SHA1, HMAC-SHA256, HMAC-MD5, SHA1,SHA-256 or an MD5 derivation function.
 13. The method as claimed inclaim 1, wherein said deriving obtains an appropriateaccess-network-specific key for each of various data transfer pathwaysbetween nodes of the access network and the mobile terminal.
 14. Themethod as claimed in claim 1, further comprising during theauthentication, the mobile terminal generating the session key andderiving therefrom the access-network-specific key.
 15. A data transfersystem used with a mobile terminal, comprising: a plurality of accessnetworks and at least one home network of the mobile terminal; anauthentication server of the home network, during authentication of amobile terminal, generating a session key, deriving a shared base keyfrom the session key and transferring the shared base key to the accessnetworks; and interworking proxy servers, each in a respective accessnetwork, deriving from the base key at least one access-network-specifickey respectively provided for securing a data transfer pathway betweenthe mobile terminal and a node of the respective access network.
 16. Thedata transfer system as claimed in claim 15, wherein said interworkingproxy server, for each node of the respective access network, derives anappropriate access-network-specific key from the base key.